Data protection: myths and misses

The EU Data Protection Directive has been around for 15 years, and is now up for revision - but what is it, and how is it relevant to you?

Image: CC-AT Flickr: rpongsaj (Rob Pongsajapan)

From the Tech and Law blog, based on a talk at BarCampLondon8.

Here are a dozen common statements you may have heard about data protection. That doesn't mean they're true. 

 

 

1. “Data protection law aims to protect people’s privacy.” - False

Or rather, half false.

The law was meant to encourage the free movement of data within the EU by harmonising national EU data protection laws while protecting "to a high level" people's fundamental rights, particularly privacy, in relation to the processing of their personal data "wholly or partly by automatic means".

It tries to do this by requiring EU states to make data "controllers", those who decide the "purposes and means" of automated processing of personal data, to register with data protection authorities and to process personal data only in compliance with a set of data protection principles, such as processing personal data fairly and lawfully.

There are other laws which can often better help protect privacy - those on confidential information in the UK; electronic communications privacy rights under the Directive on Privacy and Electronic Communications; the right to respect for private and family life, home and correspondence in article 8 of the European Convention of Human Rights, which in the UK has helped evolve a right to prevent the misuse of private information; and the EU Charter of Fundamental Rights. The Charter actually sets out separate rights to respect for private and family life, home and communications, and to the protection of personal data.

 

2. “Laws across the EU provide the same level of data protection.” - False

The Directive was meant to harmonise data protection laws across the EU, but it's not what's called a "maximum harmonisation" measure, so individual countries are free to go beyond its minimum requirements, and some have.

Whose data gets protected can vary. The penalties for not following the data protection principles can be vastly different across countries too, from a wag of the finger in one country to jail time in another.

 

3. “Personal data” is… well, private information about a person, surely?" - False.

It's "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."

That's really wide, and it's meant to be. It could be a name, social security number or NHS number, photo, video, voice; anything objective or subjective relating to an identified or identifiable human being. "The man in the black suit waiting at this traffic light" could identify someone.

What's "personal data" depends not just on its content but on the context too, such as why it's being processed, and the potential impact the processing may have on the person. The value of a house isn't personal data if it's used only to show average property prices in the area, but it is if it's used to work out the owner's tax liability.

But the UK courts have narrowed down the scope of "personal data", which under the UK Data Protection Act 1998 was already narrower than under the Directive anyway, by saying data "relates to" someone only if it affects their privacy. Just because a document mentions someone by name doesn't mean it's automatically their "personal data". The European Commission reportedly weren't impressed, but although they've taken the UK to the second stage of infringement procedures because they don't think UK law properly implements the Directive, their second stage issues don't seem to include the scope of "personal data".

It's also worth mentioning that certain "special categories" of personal data, considered to be particularly sensitive, get more protection under the Directive. For instance, "explicit" consent may be needed for their processing. These include personal data about political opinions, religious beliefs, sex life, race or ethnic origin, and of course, health data. Even trade union membership is included. Interestingly, however, data about finances would not be considered "special category" sensitive personal data.

 

4. “'Processing' personal data involves doing something with it.” - False

"Processing" personal data under the Directive includes just looking at it or accessing it, communicating it, holding or storing it, uploading or downloading it, recording, editing or deleting it - pretty much anything you can do with it, as long as it's done "wholly or partly by automatic means", eg through using a computer, mobile phone, iPad, ebook reader...

That includes publishing or even viewing personal data on a website, sending emails, etc.

Manual processing is caught only if the personal data is in a structured filing system, which might include an address book. Furthermore, in the UK, official health records are included, as are hard copy paper records held by public authorities, so long as they contain "personal data" of course.

 

5. "You can process personal data freely if it's already public knowledge." - False

Personal data that's publicly available, such as email addresses published on the internet in newsgroup postings, is still personal data, and is generally still protected under data protection laws.

In Finland, the tax authorities publish income and tax data. A company set up a service whereby you could send an SMS text to a number with someone's name and area of residence, and get back info on their income and assets. Could the company  escape data protection regulation because the data was already public? The European Court of Justice thought that processing public domain personal data still involved the processing of personal data within the scope of the Directive. However, as a separate matter, they said the company could nevertheless take advantage of an exemption if the Finnish court decided that it applied.

 

6. “Only personal data of EU residents is protected.” - False.

Actually, EU regulators generally take the view that everyone's personal data should be protected, EU or non-EU.

Whether in practice an EU country would take the trouble to follow up a data protection breach if the personal data involved wasn't that of its own citizens or residents is, of course, a different matter.

 

7. "Only EU organisations are caught by EU data protection laws." - False

For starters it isn't EU, it's EEA - this Directive applies across the EEA, not just the EU, so it's good in Norway, Iceland and Liechtenstein too.

Furthermore, it's not just organisations that are caught. People can be data controllers too, if they control the purposes and means to automatically process personal data. 

It's just that there's a let out, what's often called the "household exemption", for people who process personal data "in the course of a purely personal or household activity". In 2003 the European Court of Justice said that this means "activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people."

If you wonder about that last bit and how it affects developments like blogging, social networking and micro-blogging sites such as Twitter, well so do we all. On a strict view, you could become a data controller just by publishing personal data on a blog or social networking site which is public access or which search engines can index. Tightly limiting access to the information only to "self-selected contacts", eg publishing on a private blog, should, however, be okay.

Additionally, other exemptions from data protection law include national security, defence and law enforcement - as expected.

Finally, the Directive catches data controllers who are "established" in the EU, for example, residing or with an office here and who process personal data in the context of their EU activities, or who are not established in the EU but "make use of equipment" in the EU otherwise than for transit through the EU. These data controllers theoretically should be required to comply with EU data protection laws wherever in the world they process personal data, whether the personal data is of EU people or non-EU people.

The "making use of EU equipment" element is how EU regulators say that the Directive applies to US advertisers who plant cookies and the like on the computers of web users living in the EU. This approach is not uncontroversial. Some feel that if the EU wants to catch non-EU organisations or people who deliberately target their services at people in the EU, the EU should say so, rather than adopting the misleading device of "using equipment" in the EU and perhaps straining its meaning.

 

8. "You can easily get hold of all documents an organisation holds that contain your personal data." - False

You're getting the picture now, aren't you?

In the UK, it's not that easy. You have to ask for the information and, unlike most freedom of information requests, you have to pay a fee for it - currently £10. In the case of many organisations which don't know the law, you may also have to convince them that yes, you actually are entitled to the information.

Your subject access right, as it's called, isn't a right to documents; it's a right to find out certain information they hold about you and your personal data. They can't just refuse to give you the information because it's in a document which contains other info that you're not entitled to see. They can blank out or edit out the other stuff, and they should.

Last resort, you could complain to the UK Information Commissioner's Office. They do the best they can, but the government doesn't give them as much funding as many feel they really need in order to do their job properly, so they're stretched more thinly than they perhaps should be.

Don't forget though that the UK courts take a rather restrictive view of what qualifies as personal data, as mentioned above, so you may not get much information for your tenner.

9. "If someone processes your personal data without your consent

• you can get compensation 

• they're committing a criminal offence." 

- False x 2

Remember the data protection principle that says personal data must be processed fairly and lawfully? For that requirement to be satisfied, one of a set list of conditions has to be met, and in addition, the processing has to be fair.

Consent is one of the listed conditions, but it's not the only one. There are other grounds which a data controller can use to legitimately process your personal data, such as the processing being necessary for the performance of a contract you entered into.

So, refusing or withdrawing your consent would put the data controller in breach of data protection laws only if your consent was the sole legitimate basis for their processing.

Say that consent is the only legitimate basis for processing and you refuse it, but they process your personal data anyway. Surely you can get compensation in that case?

Nope. Not in the UK. The Directive requires member states to provide compensation for anyone who suffered damage as a result of an unlawful processing operation, but in the UK, "damage" is taken to mean financial damage. You can get compensation for distress only if you also suffered damage, or if the processing was for special purposes (mentioned at 12 below). It's not easy to prove financial loss resulting from breach of data protection rules, of course, and very few people have managed to win any compensation in the UK. Movie stars Michael Douglas and Catherine Zeta-Jones won only a token amount for this element when unauthorised photos were taken at their wedding, the automated aspect involving the photos being transmitted by ISDN, viewed on screen and published on a Hello! magazine website.  One of the reasons the European Commission moved to second stage infringement proceedings against the UK in relation to the Directive is because they take the view that in the UK "The right to compensation for moral damage when personal information is used inappropriately is also restricted."

What about a criminal offence? In the UK blagging, obtaining or disclosing personal data, is a crime if it was done knowingly or recklessly without the consent of the data controller. That's right, the data controller, the person who holds the data - not the person the data concerns. But it's only punishable by a fine. There could be power to imprison people for this, but the government haven't brought it in yet.

You could always try asking the Information Commissioner's Office to do an assessment of processing that you think is unlawful if you've been directly affected by it.

 

10. “You can stop others from processing your personal data if you don’t want them to.” - False

In the UK, you can only stop your personal data from being processed if -

1. It's direct marketing - you do have the right to stop junk mail and spam.
2. Decisions are made about you, which "significantly affect" you, based only on automated means, such as insurance decisions. You can ask for review by a human and find out the logic behind the automated decision, but there are exemptions, as you'd expect.
3. The processing was based on certain, very limited grounds (like where the processing was necessary for the legitimate interests of the controller or third party receiving the data) and is causing or likely to cause you "unwarranted and substantial" damage or distress.

Of course, if the only basis for the processing was consent, you can stop the processing by withdrawing your consent, as mentioned above.

 

11. “Posting other people’s personal data on Facebook etc is fine.” - False

That's processing personal data by automatic means. If you "determine the purposes and means" of the posting, which you will do as you've decided to post it there for your own reasons, you may be a "controller". (Facebook may be too, but that's a different story.)

Most of us would try to claim the household exemption, but if you have 10,000 "friends" it starts to get a bit harder to say that it's purely personal and domestic. And if you're doing it for work purposes, you can't use the household exemption (although another exemption may help - see 12).

Back in 2003 a Swedish church worker published on her personal website some info about her and some colleagues which described, in a mildly humorous manner, the jobs held by her colleagues and their hobbies. In many cases family circumstances and telephone numbers and other matters were mentioned. She also stated that one colleague had injured her foot and was on half-time on medical grounds.

She hadn't told her colleagues or got their consent and she hadn't notified the Swedish data protection authority, but she took down the pages once she became aware that they "were not appreciated" by her colleagues. She still got prosecuted and fined for not notifying as a data controller and for processing sensitive personal data without consent. The case went all the way up to the European Court of Justice, but she was out of luck. The regulators here are maybe more likely to go after the bigger fish, but who knows. Don't say you weren't warned.

 

12. “Journalists and bloggers can freely publish personal data.” - False

There is a "journalistic exemption", which some may be able to use to process personal data even if they can't take advantage of the household exemption.

Obviously investigative journalists need to be able to record and publish personal data on the people they're investigating without having to let on that they're under the microscope by asking for their consent.

But the exemption goes wider than that. If you process personal data "solely for journalistic purposes or the purpose of artistic or literary expression", you may be able to benefit from this exemption.

However, it's not an absolute unrestricted exemption - freedom of expression has to be balanced against the right to privacy, and sometimes privacy trumps free speech. It really depends on the circumstances.

One good thing about this exemption is that the European Court of Justice have said that "journalistic purposes" is "the disclosure to the public of information, opinions or ideas" by anyone "engaged in journalism", not just the traditional official media. So bloggers may be able to use it too. 

The bad news is that in the UK this broad exemption for journalistic, artistic or literary purposes, which UK law calls "special purposes", has been cut down. It only applies in narrower circumstances. For instance, it can't be used unless the processing is with a view to publishing journalistic, literary or artistic material and the data controller reasonably believes that the publication would be "in the public interest".

 

And finally...

The European Commission is going to propose a modernised version of the Directive next year. It recently issued a Communication (see FAQs) outlining its strategy and approach.

If you have views and want to respond, the deadline is 15 Jan 2011.

Here's a more memorable URL for the consultation - http://bit.ly/dpdcommissionconsultation2010. There was a previous consultation in 2009 before the publication of the Communication, to which there were quite a few responses, which make interesting reading. ORG contributed to the EDRI response.

 

More info

The UK Information Commissioner's Office has a very good website. Check it out. Their response to the Ministry of Justice's call for evidence on data protection in the UK, which the UK will take into account when it is negotiating the expected updates to the Directive, is also worth a read.

EU data protection authorities the Article 29 Data Protection Working Party have produced various opinions and guidance, such as on social networking, search engines, transfer of passenger name records outside the EU, and online behavioural advertising.